Hello all, I recently received this e-mail notifying me of a new e-mail address that was added to my Paypal account. I broke down the steps I took to analyze the e-mail first to identify that it was a phishing scam and then to track down the steps this Scammer used and identify the systems in use.
I have provided the e-mail and a synopsis along with a link to the original full forensics. Synopsis: 1. The e-mail was sent from a Comcast network in Indianapolis from a windows machine running outlook express. The Scammer used a Yahoo name on the account. 2. The domain was registered through a proxy domain registration company which uses Yahoo's DNS and provided a web server through Yahoo. 3. The Yahoo web server redirects the user to an Oracle web server on port 84 running in Seoul, Korea. 4. Finally, when you put in your username and password it tells you the system is down for maintenance, but does take the time to ask you for your credit card and pin numbers! Notes: The Scammer does use an interesting approach in eliminating the address bar and using a graphics of an address bar in it's place showing a Paypal login account. To see the the full analysis click here: http://dsb.igxglobal.com/plugins/content/content.php?content.37 Babak Pasdar Founder / Chief Technology & Information Security Officer Support the Daily Security Briefing Web Site and Register Here: http://dsb.igxglobal.com For this week's DSB/Week-in-Review Audio/Video Security Report: http://dsb.igxglobal.com/news.php?item.50.4 To register for a Daily Security Intelligence e-mail: http://www.igxglobal.com/dsb/register.html Get your security news via Podcast: http://dsb.igxglobal.com/page.php?11 Return-Path: <[EMAIL PROTECTED]> Received: from groupware.igxglobal.com ([unix socket]) by groupware (Cyrus v2.1.16) with LMTP; Tue, 14 Feb 2006 11:48:09 -0500 X-Sieve: CMU Sieve 2.2 Received: from mail5.igxglobal.com (unknown [192.168.27.51]) by groupware.igxglobal.com (Postfix) with ESMTP id 910DD32C082 for <[EMAIL PROTECTED]>; Tue, 14 Feb 2006 11:48:09 -0500 (EST) Received: from c-68-58-4-141.hsd1.in.comcast.net (HELO compaq) ([68.58.4.141]) by mail5.igxglobal.com with SMTP; 14 Feb 2006 11:48:09 -0500 Message-Id: <[EMAIL PROTECTED]> X-BrightmailFiltered: true X-Brightmail-Tracker: AAAAAA== X-IronPort-AV: i="4.02,114,1139202000"; d="scan'208,217"; a="4072399:sNHT36133904" Reply-To: [EMAIL PROTECTED] From: PayPal Security <[EMAIL PROTECTED]> Subject: New email address added to your account ! Date: Tue, 14 Feb 2006 11:48:06 -0500 MIME-Version: 1.0 Content-Type: text/html; charset="Windows-1251" Content-Transfer-Encoding: 7bit X-Priority: 1 X-MSMail-Priority: High X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 To: undisclosed-recipients : ; X-Evolution-Source: imap://bpasdar;[EMAIL PROTECTED]/ You've added an additional email address to your PayPal account. If you don’t agree with this email [EMAIL PROTECTED] and if you need assistance with your account, please click here to login to your account. To make sure you can use your PayPal account the next time you make a purchase, all you need to do is confirm or not your email address. If your email program has problems with hypertext links, you may also confirm your email address by logging in to your account. Thank you for using PayPal! The PayPal Team ---------------------------------------------------------------- Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click the Help link located in the top right corner of any PayPal page. ---------------------------------------------------------------- PayPal Email ID PP059 HEMFBKCMCUNCRVRFYOEGZWKZKENTMXZBPDSJBD
signature.asc
Description: This is a digitally signed message part
_________________________________ igxglobal utilizes state of the art technology from PGP to ensure the safeguard of all electronic correspondences. This message could have been secured by PGP Universal. To secure future messages from this sender, please click this link and contact your representative at igxglobal for further information: https://keys.igxglobal.com/b/b.e?r=full-disclosure%40lists.grok.org.uk&n=4Njq7juzEf1Yn9MHjRn9Ow%3D%3D
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/